Re: Column level privileges was:(Re: Extending grant insert on tables to sequences)

On Thu, Jul 24, 2008 at 12:09 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Jaime Casanova" <jcasanov(at)systemguards(dot)com(dot)ec> writes:
>>> Another issue is the interaction with the planned column-level GRANT
>>> feature.
>
>> Although that is a feature we want, is a WIP one... do we stop patches
>> because it can conflict with a project we don't know will be applied
>> soon?
>
> Well, considering that that one is implementing a feature required by
> SQL spec, your feature will lose any tug-of-war ;-).

i knew the answer already but...

ok, seems this is the last one for column level patch
http://archives.postgresql.org/pgsql-patches/2008-04/msg00417.php

any one working it...

--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 87171157

* Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> ok, seems this is the last one for column level patch
> http://archives.postgresql.org/pgsql-patches/2008-04/msg00417.php
>
> any one working it...

Yes, I'm working on it, but I'm not against having help, of course. The
past couple weeks have been given over to commitfest though, so I havn't
made much progress on it yet. My plan is to focus on it during August
and have a good patch to submit for the September commitfest.

Thanks,

Stephen

On Fri, Jul 25, 2008 at 4:51 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
>> ok, seems this is the last one for column level patch
>> http://archives.postgresql.org/pgsql-patches/2008-04/msg00417.php
>>
>> any one working it...
>
> Yes, I'm working on it, but I'm not against having help, of course. The
> past couple weeks have been given over to commitfest though, so I havn't
> made much progress on it yet. My plan is to focus on it during August
> and have a good patch to submit for the September commitfest.
>

seems like a plan to me... do you have a repository for it? or can you
send me the patch in early august?

--
regards,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 87171157

On 7/25/08, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> > ok, seems this is the last one for column level patch
> > http://archives.postgresql.org/pgsql-patches/2008-04/msg00417.php
> >
> > any one working it...
>
> Yes, I'm working on it

hi, any work on it? may i help?

--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Guayaquil - Ecuador
Cel. (593) 87171157

Jaime,

* Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> On 7/25/08, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > Yes, I'm working on it
>
> hi, any work on it? may i help?

If you look at the commitfest, I've posted my WIP so far there. Most of
the grammer, parser, and catalog changes are there. There's a couple of
bugs in that code that I'm working to run down but otherwise I think
it's pretty good. I do need to add in the dependency tracking as well
though, and that's what I'm planning to work on next.

A piece which can be broken off pretty easily is adding support to track
the columns used through to the executor so we can check the permissions
in the right place.

You should review Tom's #2 comment here:
http://archives.postgresql.org/pgsql-patches/2008-05/msg00111.php

Let me know if you'll be able to work on this or not. If not then I'll
get to it after I'm happy with the other pieces of the patch.

Thanks,

Stephen

Jaime,

* Stephen Frost (sfrost(at)snowman(dot)net) wrote:
> * Jaime Casanova (jcasanov(at)systemguards(dot)com(dot)ec) wrote:
> > On 7/25/08, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > > Yes, I'm working on it
> >
> > hi, any work on it? may i help?
>
> If you look at the commitfest, I've posted my WIP so far there. Most of
> the grammer, parser, and catalog changes are there. There's a couple of
> bugs in that code that I'm working to run down but otherwise I think
> it's pretty good. I do need to add in the dependency tracking as well
> though, and that's what I'm planning to work on next.

I've now added dependency tracking and worked out a few kinks in the
code, both existing previously and from adding the dep tracking. I'd
really like to simplify things in aclchk.c, perhaps by factoring out
more common bits into functional pieces, but it's been kind of a bear so
far.

The dependency tracking is being done by continuing to treat the table
as a single entity and just figuring out the total set (including all
column-level permissions) of roles for the entire table, rather than
introducing the sub-object concept. This requires a bit of extra effort
when doing DDLs and GRANTs but simplifies the dependency tracking
itself, especially since we have to keep track of both table-level
permissions and column-level permissions seperately.

I'm open to other suggestions/comments. If people feel the sub-object
is a better approach, it would get somewhat more awkward because we'd
have to handle the relation-level dependencies as well as the
column-level ones. Not impossible to do, of course, but a bit more
complicated than how it was done originally.

> A piece which can be broken off pretty easily is adding support to track
> the columns used through to the executor so we can check the permissions
> in the right place.

Jamie, have you had a chance to work on this? It's next on my list and
I'll start working on it tonight unless you've had a chance to get to
it. Please let me know.

Thanks,

Stephen

On 9/17/08, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> > A piece which can be broken off pretty easily is adding support to track
> > the columns used through to the executor so we can check the permissions
> > in the right place.
>
> Jamie, have you had a chance to work on this? It's next on my list and
> I'll start working on it tonight unless you've had a chance to get to
> it. Please let me know.
>

not really, i start to read the code... but was interrupted for a new
task... (if we only could send kill -9 signals to work tasks ;)

--
regards,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Asesoría y desarrollo de sistemas
Guayaquil - Ecuador
Cel. +59387171157